if operator and ?

There are two forms of ternary expression you can use in Sumo Logic queries: one is constructed using the IF operator, and the other uses the question mark (?) operator. The syntax varies slightly, but the results are equivalent. You can use the syntax you're most comfortable with.

These expressions are used to evaluate a condition as either true or false, with values assigned for each outcome. It is a shorthand way to express an if-else condition. On the basis of the test, the entire expression returns value_if_true if the condition is true, else value_if_false if the condition is false. The two sub-expressions (value_if_true and value_if_false) must have the same type.

Syntax

if(<condition>, <value_if_true>, <value_if_false>) as <field>

Examples

... | if(status_code matches "5*", 1, 0) as servererror | ...

... | if(status_code matches "2*", 1, 0) as success | ...

... | if(!(status_code matches "2*"), 1, 0) as failure | ...

Nested if statement (if...elseif...else)

To create nested if statements, your query should use the following syntax:

Recommended articles

Sumo Logic is the industry’s leading secure, cloud-native, machine data analytics service, delivering real-time, continuous intelligence across the entire application lifecycle and stack. More than 1,000 customers around the globe rely on Sumo Logic for the analytics and insights to build, run and secure their modern applications and cloud infrastructures.